Disclaimer

The content of this material are challenges faced onsite and how I personally resolved them. Please be noted that solutions posted here

1> should not be considered as ultimate. The material may be considered for reference only.

2> should not be considered as guarantee that solutions may work. Contact Cyberoam support before making any changes.

3> blog does NOT belong to the Cyberoam. It's a blog...a personal blog.

Changes done after referring this site may seriously damage the network. So...

........DO CHANGES AT YOUR OWN RISK

(please contact cyberoamsupport before implementing any changes)

Monday, 14 May 2012

Cyberoam's WAF






Web Application Firewall.


In the continuation to my previous article where I mentioned about the new features released by Cyberoam, one of the key and important feature is that of Web Application Firewall. It is not a new term or technology in fact there are already UTMs and open source projects offering the Web application security. So you might be wondering what new Cyberoam is offering with this feature or some smart heads might be thinking that Cyberoam is catching up with its competitors. Yes, it could be true to an extent; however, the true mettle of the feature depends on what is on the offer and this where Cyberoam has more impact over its competitors.
WAF or Web application firewall is a plug-in, or a filter that scans any http connection with certain set of rules. In general, these set of rules are enough to overcome certain type of common attacks like SQL injection or Cross site scripting (XSS). Now, you can customize these set of rules in accordance to your knowledge and requirement which in turn can help you in indentifying and blocking various attacks. This is the point where Cyberoam scores over all other web application security solutions available in the market.


Why do we need a WAF?
Web or the World Wide Web is frequently referred to as the next battle ground. The countries around the globe nowadays fear that the next world war will be fought on the internet and attacking the web application servers will be one of the most important types of attack.
Despite the incident of dotcom bubble burst the dependency of the world on Web has not decreased. Web sites and web applications are growing rapidly. Businesses worldwide have moved on to use more and more complex applications on http. The phenomenal dependency of businesses on the web has made them prone to various attacks. Over the past decade or so we have seen a lot of increase in the hacking activity. Various attacks like, work attack, SQL injection have taken the toll of business to a much larger extent now.
Most of you might wonder that these attacks can also be stopped by a firewall then why do we need a WAF? However, the point is that a firewall cannot stop these attacks. Here is the list of attacks that a firewall cannot detect or stop: 


1.     URL interpretation attack
2.     Input validation attacks
3.     SQL injection attack
4.     Impersonation attacks
5.     Buffer over flow attacks
6.     Cross site scripting 


Above is just a partial list of attacks that cannot be stopped by your perimeter firewall. There are many other attacks that you firewall can never even detect off and your web services can easily fell prey to deadly hackers.
So, you cannot deny the fact that despite deploying a firewall in your network you need a WAF to protect the web server and web applications.


Cyberoam as a WAF:
Yes, now Cyberoam has an inbuilt feature of Web application Firewall. Cyberoam’s WAF helps in you in achieving the following major organizational concerns/questions with respect to the web services on offer:
1.     How can you secure your web applications?
2.     How can you insure that only authenticated users get access to the web services?
3.     How can you insure the acceleration and speed of the applications?
4.     How to insure the scalability of the web servers with the growing number of users?
5.     Validating the input of the users on the web forms?
However, before we talk more about Cyberoam as a WAF, Let us have a look at the challenges faced by current WAF products which are in the market.
The major challenge is in the form of too much of security, I mean to say, some products like Barracuda WAF provide too much of security that there have been instances that even legitimate users have been deprived of work. This actually may sound funny but it is true for many other products as well.
Other challenges can be listed as below:


1.     Penetration of database monitoring
2.     Prevention of hacking, data theft
3.     Provision to work as IDS(Intrusion Detection System)
4.     Notifying as well as rectifying the security loopholes.
5.     Prevention of cookie poisoning and session hijacking
6.     Less scanning time for the data
7.     Efficient and effective filtering of http/https requests
8.     Moulding itself to detect and prevent new attacks
9.     Customization of http/https scanning rules


While testing the Cyberoam WAF I found all the challenges being overcome. I tested it against my word press website linked to a JDBC. While products like Barracuda, Semantic, Citrix, Imperva etc failed in overcoming one or the other challenges listed above. However, Cyberoam has no reporting feature which actually is a point that goes against it when we compare it with dedicated WAF products.
I am more interested in testing Cyberoam’s WAF against Astaro’s WAF (Since Astaro is only UTM offering inbuilt WAF), where in as later uses signatures to detect and prevent attacks. I have never been a great fan of technologies using signatures and this is no deferent. The huge issue I see with signatures is that they need to be updated regularly which is a big overhead. Since Cyberoam uses intuitive active and passive modes to detect and prevent attacks it is far more effective and efficient then Astaro.
Cyberoam’s WAF is so intelligent that in real time environment it is quickly able to notice the behaviour if web applications that you have in your network and then it moulds itself to protect them automatically. How does it do so? It is still a mystery. May be I can get a hint from Cyberoam support.




1 comment:

  1. So when do we have the CR WAF against Sophos (Astaro) WAF results?

    ReplyDelete